Managing risk using risk-based alerting in Splunk Enterprise Security

One of the primary challenges that security analysts face is that risk-based alerting can generate as many notables as traditional alerting. Additionally, if risk-based alerting is not curated, you might create duplicate risk notables.

While risk notables provide context during security investigations, an excessive number or duplicate risk notables from normal business activities, can confuse analysts and impede their ability to detect threats.

To get the maximum value from risk-based alerting in Splunk Enterprise Security and curate risk in your security operations center (SOC), you can adjust your risk incident rules. For example, you might want to reduce risk when defining your search based on your assessment of predictable events such as expected activity spikes during certain times of day or during the installation of new tools in your security environment.

You can also adjust the risk notables based on how they might relate to each other, and the potential threat associated with a specific risk notable.

Additionally, you can also adjust the time range or detection window for your risk incident rules to reduce the number of alerts. For example, you might want to reduce the time range from 24 hours to 12 hours to focus on user activities during peak periods of activity.

Follow these best practices to manage risk in your security environment:

Use Splunk Enterprise Security Risk-based Alerting

Related Answers

Managing risk using risk-based alerting in Splunk Enterprise Security

Comments